Hackers strike Russia and Iran Networks exploiting Cisco

Last week, the hacking crew “JHT” launched a hacking campaign against CISCO devices in Russian and Iranian networks.

The hackers exploited the Cisco CVE-2018-0171 Smart Install to reset the routers to the startup-config and reboot the devices, then they left the following message to the victims:

“Don’t mess with our elections…. -JHT usafreedom_jht@tutanota.com”

Threat actors used seemly automated tools to exploit Cisco IOS and Cisco IOS XE critical flaws (CVE-2018-0171 & CVE-2018-0156) to cause mass network outages.

Smart Install is a legacy plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches.

The wave of attacks hit thousands of devices in Iran, Iran’s Communication and Information Technology Ministry stated that over 200,000 routers worldwide were affected, with 3,500 of them being in Iran.

“Hackers have attacked networks in a number of countries including data centers in Iran where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.”

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.

Iran’s ICT Minister Mohammad Javad Azari-Jahromi stated 95% of the affected routers in the country had been already restored to normal service.

According to the hackers behind the assaults, they scanned the Internet for vulnerable CISCO devices and exploited the flaw against systems in Russia and Iran.

“We were tired of attacks from government-backed hackers on the United States and other countries,” someone in control of an email address left in the note told Motherboard Saturday.
The alleged vigilante hackers also claimed to fix the vulnerability in U.S. and UK routers that they discovered by issuing the no vstack command.